The Random package generates cryptographically secure random values

The Random package by Stephen Rees-Carter, generates cryptographically secure random values in a range of different formats through a simple helper package for PHP. Here is why this package was created:

Something I commonly encounter during my security audits (especially on older codebases) is insecure randomness, usually in places where security is required. It’s usually using some form of rand(), often injected inside md5() to generate a random hash, combined with str_shuffle() to generate new passwords, or used to make an One-Time Password (OTP) with rand(100_000, 999_999).

The problem is rand() is not cryptographically secure, and neither is mt_rand(), mt_srand(), str_shuffle(), array_rand(), or of the other insecure functions available in PHP. We can’t simply declare these methods insecure, drop the mic, and walk away. Instead, we need to provide secure alternatives - so rather than simply saying “don’t use rand() in that way”, we can say “here’s a secure method you can use instead”!

Here are some examples of what you can do with this Random package:

#Random One-Time Password (Numeric fixed-length OTPs)

Generate a random numeric one-time password (OTP) of $length digits:

$otp = Random::otp(int $length): string;

Useful for generating OTPs for SMS or email verification codes.

#Random String

Generate a random string of $length characters, which includes characters from the enabled character types. By default, it will randomly select characters and not guarantee any specific character types are present. If you require one of each character to be included, you can set $requireAll = true.

// Primary method
$string = Random::string(
    int $length = 32,
    bool $lower = true,
    bool $upper = true,
    bool $numbers = true,
    bool $symbols = true,
    bool $requireAll = false
): string;

The string method also comes with nice wrappers for common use cases:

// Random letters only
$letters = Random::letters(int $length = 32): string;
 
// Random alphanumeric (letters and numbers) token string
$token = Random::token(int $length = 32): string;
 
// Random letters, numbers, and symbols (i.e. a random password).
$password = Random::password(int $length = 16, bool $requireAll = false): string;
 
// Random alphanumeric token string with chunks separated by dashes, making it easy to read and type.
$password = Random::dashed(int $length = 25, string $delimiter = '-', int $chunkLength = 5, bool $mixedCase = true): string;

#Shuffle Array, String, or Collection

Securely shuffle an array, string, or Laravel Collection, optionally preserving the keys.

$shuffled = Random::shuffle(
    array|string|\Illuminate\Support\Collection $values,
    bool $preserveKeys = false
): array|string|\Illuminate\Support\Collection;

#And more

Visit the official package page on GitHub for complete details, and also check out the announcement post.